"I think gravity took its course," says Agcaoili. "At the end of the day, no security organization I've been a part of has ever had infinite resources. Risk management was a way to ingest findings or issues, determine the risk to the company, and articulate to the business what the risks were. And it helped us prioritize with the business with what needed to get done."
Formal ERM programs have begun to show up in many organizations. Obviously, the components of these programs vary from place to place, industry to industry. But they all have at least one thing in common: They seek to ensure the success of the organization through "sound, proactive thinking and strategy relative to risk," according to David Sherry, CISO of Brown University.
"By identifying and quantifying the probability and impact of security events, the security mission is supported by language that the board can understand, without relying on fear, uncertainty and doubt," Sherry says.
Dennis Treece, director of corporate security for Massport--the public authority that oversees airports, seaports and many transportation services in Massachusetts--works with many departments and staff within his organization. Leading security for one of the most scrutinized transportation hubs in the world demands a risk strategy that encompasses both physical and digital security.
"To me, ERM implies an all-hazards approach that takes into account everything from utilities infrastructure failure to bad weather, to pandemics, to accidents, to building things on the cheap and poor maintenance, to terrorism," says Treece.
"Also, to me, ERM is collaboration among all the people who understand the risk components the organization faces and who are involved in the risk process, accept risk, or reduce it or transfer it--or any combination of those things."
Consequently, Treece's team comprises a diverse set of individuals. "The insurance broker here is on my team, the internal auditors are on my team, two legal counsel, police and rescue, the operations and facilities staff," Treece noted. "We cannot exist today without them because security is so technology-driven and -dependent."
But working with personnel from various departments is not without its challenges, both for the CSO and for the professionals who come from backgrounds not typically associated with security.
Dave Notch, who was until recently the CISO with business-data provider Thomson Reuters, says he saw the difficulties that can result when bringing in employees from other disciplines and trying to make them all part of one security and risk team. His experience tells him that a one-size-fits-all approach cannot work in many industries.
"One of the most direct examples was when we had discussions about integrating physical and IT security, which, ultimately, we never did," recalled Notch, who was responsible for managing the corporate programs for information security, business continuity, disaster recovery and technology-related audit and compliance activities. "But, I think regardless of which department they are coming from, it's difficult to find people that can cross those boundaries and talk about all areas of risk intelligently."
Sign up for CIO Asia eNewsletters.